OFFICE OF INSPECTOR GENERAL

Audit Report

Audit of Internal Control Over Accounts Payable

Report No. 09-03
March 31, 2009

RAILROAD RETIREMENT BOARD

INTRODUCTION

This report presents the results of the Office of Inspector General’s (OIG) audit of internal controls for the recording and payment of non-benefit, non-payroll administrative expenses at the Railroad Retirement Board (RRB).

Background

The RRB is an independent agency in the executive branch of the Federal government. The RRB administers the retirement/survivor and unemployment/sickness insurance benefit programs for railroad workers and their families under the Railroad Retirement Act (RRA) and the Railroad Unemployment Insurance Act (RUIA). These programs provide income protection during old age and in the event of disability, death, temporary unemployment or sickness. The RRB paid approximately $10.2 billion in retirement/survivor and unemployment/sickness benefits to 628,000 beneficiaries during fiscal year (FY) 2008.
The RRB is headquartered in Chicago, Illinois and has 53 field offices nationwide.

The RRB prepares annual financial statements in accordance with generally accepted accounting principles for Federal entities prescribed by the Office of Management and Budget (OMB) and the Federal Accounting Standards Advisory Board (FASAB).

Internal control is an integral component of an organization’s management that provides reasonable assurance concerning the effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations. Pursuant to the provisions of the Federal Managers’ Financial Integrity Act of 1982, the Government Accountability Office (GAO) has issued “Standards for Internal Control in the Federal Government.”[1] These standards provide the overall framework for establishing and maintaining internal control and for identifying and addressing major performance and management challenges.

The Bureau of Fiscal Operations (BFO) is responsible for processing payments to the vendors and suppliers that provided goods and services to the RRB. During FY 2007, BFO processed 19,611 transactions totaling $16.5 million for non-payroll and non-benefit administrative expenses. Because of its monetary nature, the accounts payable function directly impacts financial statement reporting and is susceptible to fraud, waste and abuse.

The Federal Financial System (FFS) is the mainframe application that supports the agency’s financial management operations including purchasing, accounts payable and financial statement reporting. FFS includes features that support transaction recording and monitoring.
The FFS purchasing subsystem controls the activities in the procurement process, including requesting goods and services (commitments), ordering goods and services (obligations), recording the receipt of goods and services (receivers) and recording the receipt of vendor invoices (invoices). Within the RRB, BFO is the organizational owner of FFS and the FFS administrator is an employee of that bureau.

[1] “Standards for Internal Control in the Federal Government,” GAO/AIMD-00-21.3.1 (11/99).

The RRB pays benefits by reason of disability to certain qualifying individuals under the disability provisions of the RRA. The Disability, Sickness and Unemployment Benefits Division (DSUBD), within the Office of Programs, relies on medical examinations and consultative opinions provided by independent medical experts to support its decision-making process. The FFS Application for Medical Exams (FAME) is a personal computer application that supports the ordering, acceptance and payment approval process for these services. FAME interfaces directly with FFS to electronically record the obligations, accounts payable and related vendor payments.

This audit supports the OIG’s annual audit of the RRB’s financial statements. The RRB’s strategic plan prescribes effectiveness, efficiency and security of operations as objectives within the agency’s larger goal of serving as responsible stewards of the trust funds and financial resources under agency control.
This audit supports those objectives.

Audit Objective

The audit objective was to determine whether internal control was adequate to ensure that accounting for non-benefit, non-payroll, administrative expenses was complete, accurate and timely.

Scope

The scope of our audit was limited to payment vouchers and direct disbursements recorded during the first quarter of FY 2008. The scope of our work specifically excluded employee payroll, employee travel and payments to program beneficiaries.

Methodology

To accomplish our objective, we:

   • identified the laws, regulations and procedures applicable to accounts payable;
   • identified and tested selected internal controls over RRB’s administration of accounts payable;
   • interviewed responsible officials;
   • conducted walkthroughs and assessed the effectiveness of the accounts payable and disability payment processes;
   • identified and reviewed management’s control activities;
   • statistically sampled payments processed and recorded in order to test the applicable internal controls (See Appendix I);
   • tested selected aspects of agency compliance with requirements applicable to certain subgroups such as high-value accounts payable transactions greater than $100,000 (See Appendix II);
   • reviewed documentation related to payment transactions;
   • reviewed monitoring activities related to the quality and timeliness of payments;
   • studied the configuration of FFS security settings and user profiles;
   • tested the implementation of FFS security settings and user profiles;
   • identified and tested selected controls over high-dollar payments;
   • tested compliance with agency policies and procedures and applicable laws and regulations; and
   • assessed the adequacy of the agency’s existing policies and procedures related to accounts payable transactions.

We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We conducted our fieldwork at the RRB’s headquarters in Chicago, Illinois from November 2007 to February 2009.

RESULTS OF AUDIT

Our audit disclosed that internal controls over payments were not adequate to ensure that accounting for non-benefit, non-payroll administrative expenses was complete, accurate and timely because the controls were either not sufficient or not operating as designed.

Our audit found that controls could be strengthened in the following areas:

   • Segregation of Duties
   • Payment Authorization
   • Medical Vendor Payment Functions
   • FAME System Audit Trail
   • Supporting Documentation for Payments
   • Management Control and Related Reviews
   • Employee Social Security Number (SSN) Exposure
   • Policies and Procedures
   • Electronic Receivers

In addition, we identified opportunities for improvement in the following areas:

   • Timeliness of Payments
   • Prompt Payment Quality Assurance Reviews

The details of our findings and recommendations for corrective action follow.
The full text of management’s response is included in this report as Appendices III, IV, and V.

Segregation of Duties for Certain Purchasing Activities Could Be Improved

Although FFS security includes features that provide for segregation of duties, management’s implementation undermines their effectiveness.

Key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions and handling any related assets. No one individual should control all key aspects of a transaction or event.[2]

The ability to enter and approve transactions is controlled through the FFS security profiles of the various users. The privileges of each authorized user of FFS are controlled by security profiles established within FFS by the system administrator. FFS provides for transaction-level security that requires various levels of approval, including multiple levels of approval for certain high-dollar transactions. In addition, the standard user profiles are configured to separate critical activities. For example, the system administrator has established standard access profiles that prevent most users who can requisition goods and services from entering a purchase order.

[2] “Standards for Internal Control in the Federal Government,” GAO/AIMD-00-21.3.1 (11/99) page 14.

In addition, FFS may be configured to require multiple levels of approval to fully process a requisition depending on the dollar value of the transaction. Standard access profiles are configured to prohibit approval of a transaction by the same person who initially entered it and to require that each successive level of approval be applied by a different authorized user.
However, the FFS administrator sometimes grants privileges that are not consistent with these standard settings.

During our audit, we identified one individual who had been granted privileges under three security profiles permitting them to enter and approve requisitions and obligate budgetary resources, in any amount, without the approval of anyone else.

Purchase orders over $10,000 require two levels of approval. Our review of FFS user profiles disclosed two individuals who had been granted privileges permitting them to enter a purchase order and apply both levels of approval. The system is similarly configured for payment vouchers, requiring a second approval for payments over $100,000. Our review identified one user who had been granted privileges permitting them to enter a payment voucher and apply both levels of approval. As a result, these users are able to process transactions to completion without involving any other employee, which is inconsistent with proper segregation of duties. In addition, permitting one person to apply both levels of approval defeats the purpose of requiring a second approval for large transactions.

When a single individual controls both the entry and approval of a single transaction, too much control over key aspects of the acquisition process is vested in a single individual.

Although FFS provides for adequate segregation of duties and additional scrutiny of high-dollar transactions, management has awarded system privileges in a manner that circumvents these controls. As a result, management has not ensured that their control objectives will be achieved.

Recommendations

We recommend that BFO:

   1. identify all individuals who have been awarded FFS privileges that are incompatible with proper segregation of duties; and
   2. work with agency management to eliminate FFS user privileges that violate the principles of segregation of duties.

Management’s Response

With regard to recommendations 1 and 2, BFO responded that each year they perform an FFS security audit requesting agency management to review the security profile information for FFS users in their organization and provide BFO with any changes, additions, and deletions. BFO notes that the responses and documentation of actions taken are then provided to the RRB’s Chief Security Officer. For the 2009 security audit, BFO has agreed to ask agency management to identify individuals who have been awarded FFS privileges that are incompatible with proper segregation of duties and eliminate such user privileges. BFO notes that additional FFS privileges may have been awarded to users in a given organization due to the small size of that organization and that the organization may have compensating controls.

Office of Inspector General’s Comments on Management’s Response

With respect to BFO’s proposed implementation plan, we are concerned that it will not achieve the intent of the recommendation because the determination of proper segregation of duties is distributed throughout the agency rather than residing with the system owner.

Payment Authorization Is Not Adequately Controlled

Controls are not adequate to ensure that only designated or authorized individuals certify invoices for payment.

Transactions and other significant events should be authorized and executed only by persons acting within the scope of their authority.[3] RRB Administrative Circular OA-14 dated June 13, 2007 and updated on January 24, 2008 (which outlines the manual procedure for the receipt and acceptance of goods and services and the resulting certification for payment) requires that invoices first be date stamped and forwarded to the designated person in the receiving bureau/office for certification. The employee shall certify the invoice as proper for payment by including the dollar amount for payment, the Purchase Order/Contracts (PC) or Service Order (SO) number, their signature and the date accepted.

During our audit, we observed that:

   • the accounts payable unit does not authenticate the certifier’s signature;
   • the accounts payable unit does not confirm that the certifier is the designated or authorized individual for the receiving bureau or office before processing the payment; and
   • the payment voucher approval threshold was set at $100,000 even though the average value of the 4,769 payments in the audit universe was only $1,198.

[3] “Standards for Internal Control in the Federal Government,” GAO/AIMD-00-21.3.1 (11/99) page 14.

We also identified one payment in our non-statistical sample of high-value payment transactions, valued at $1,025,180, that was processed by an accounts payable clerk who neither authenticated the certifier’s signature nor verified that the certifier was authorized to certify the transaction.

Moreover, we noted that the various segments of the purchasing/payment life cycle, such as requisitions, purchase orders and payment vouchers, required multiple approvals based on certain dollar thresholds.
However, the manual certification process involved only one certifier and no additional approvals, regardless of the amount of the invoice.

The lack of:
   • a list of individuals who are authorized to certify invoices;
   • signature cards to authenticate their signatures;
   • meaningful dollar thresholds for approvals; and
   • multiple approvals for higher dollar invoices
increases the risk of erroneous, fraudulent, or unauthorized payments.

Recommendations

We recommend that BFO:

   3. develop and maintain a list of designated certifiers, obtain signature cards for these individuals and require that higher dollar hard copy invoices be subject to multiple approvals before they are processed for payment; and
   4. establish more reasonable dollar thresholds for payment approvals to mirror the thresholds used in other steps of the procurement life cycle.

Management’s Response

The Bureau of Fiscal Operations has agreed to work with agency management to implement recommendation 3. They note that a revision to Administrative Circular OA-14 may be required.

In response to recommendation 4, the Bureau of Fiscal Operations plans to review the dollar thresholds for payment approvals and make adjustments as necessary.

Disability Medical Vendor Payment Functions Are Not Properly Controlled

The FAME[4] system, which is used to control the purchase and payment of medical examinations and consultative opinions in support of the RRB’s disability program, does not provide for adequate segregation of duties.

Key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud.
This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions and handling any related assets. No one individual should control all key aspects of a transaction or event. When duties cannot be separated, compensating controls should be in place.

During our audit we observed that a single disability claims examiner may order and approve payment for medical examinations and consultative opinions, thus controlling all key aspects of the transaction. In addition, no second level of approval is required. We also observed that individuals other than claims examiners may place orders and that applicable policies and procedures do not articulate responsibility for placing such orders.

Segregation of duties was not built into the system when it was designed and the management control review process did not disclose this deficiency. In addition, the Disability Claims Manual and FAME system procedures do not:

   • clearly identify and define the roles and responsibilities of the staff in the process;
   • define levels of system access; or
   • address segregation of duties for the order, receipt, acceptance and payment of medical examinations and consultative opinions.

As a result, there is an increased likelihood that the RRB may pay for unnecessary services.

Recommendations

We recommend that the Office of Programs:

   5. segregate duties to prevent the same employee from ordering and accepting medical examinations and consultative opinions, implement second level approvals on orders and acceptances of medical examinations and consultative opinions, or develop an effective compensating control to ensure the agency does not pay for unnecessary services; and
   6. revise policies and procedures to fully articulate which job descriptions have authority for ordering medical examinations and consultative opinions so that the policies and procedures correspond with actual practice and FAME system utilization.

[4] FFS Application for Medical Exams (FAME)

Management’s Response

The Office of Programs responded that the procedure to have a single examiner both order exams and approve them for payment is an intended practice as they believe that the examiner is best qualified to determine if the product received meets the requestor’s expectations. However, they have advised us that to preclude ordering unnecessary services, they have a control in place to review medical examination requests that exceed five examination requests for a single disability case. The Office of Programs has agreed to develop a plan for an additional compensating control.

The Office of Programs has also agreed to revise procedures to include job descriptions, such as field office and headquarters clerks, that have the authority to enter examination requests. They have advised us that only claim examiners are authorized to process payments for examinations and there is no change in that authority.

FAME System Audit Trail Is Not Fully Reliable

The FAME system does not maintain a reliable audit trail for all transactions.
An audit trail is a detailed record of transaction processing which should include the identities of those initiating and approving each transaction.

The National Institute of Standards and Technology (NIST) has published standards that require Federal agencies to:

   • create, protect and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful, unauthorized, or inappropriate information system activity; and
   • ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.[5]

During our audit, we observed that when a consultative medical opinion is ordered via the FAME system, the “Entry Clerk” field is not system-generated; the clerk manually enters their user identifier. This occurs because the FAME system is not programmed to automatically pre-fill the “Entry Clerk” field with the active user identifier and secure the field against changes.

[5] NIST Federal Information Processing Standards Publication 200 “Minimum Security Requirements for Federal Information and Information Systems,” (03-09-06) page 2.

As a result, management cannot know with any certainty who actually ordered opinions and accountability for transaction processing is compromised.

Recommendation

We recommend that the Office of Programs:

   7. review FAME system programming and request revisions to ensure that the active user identifier is automatically captured for each transaction and secured against change.

Management’s Response

The Office of Programs has agreed to review the FAME system to determine when revisions can be made.
They note, however, that other priorities make it difficult to project when system revisions could be completed.

Payment Documentation Needs Improvement

Proper order authorization forms, evidence of receipt and acceptance and payment approvals supporting medical examinations and consultative opinions are not always maintained in the claim folders. In addition, the manual certification of some invoices for non-medical goods and services was incomplete or lacked adequate documentation to support the amount paid.

Federal standards for internal control require that all transactions and other significant events be clearly documented and readily available for examination.[6] More specifically, transactions and significant events need an audit trail. “An audit trail is the evidence that demonstrates how a specific transaction was initiated, processed, recorded and summarized.”[7]

During our audit, we observed that:

   • two of the five high-value payments that were non-statistically sampled and reviewed lacked complete documentation to support the amount paid;
   • eight of the twenty-eight non-medical payments statistically sampled and reviewed lacked proper approval for payment; and
   • four of the seventy-seven medical case files statistically sampled and reviewed did not contain the appropriate supporting documentation for vendor payments.

[6] “Standards for Internal Control in the Federal Government,” GAO/AIMD-00-21.3.1 (11/99) page 15.
[7] GAO/The President’s Council on Integrity and Efficiency (PCIE) “Financial Audit Manual,” Section 260, “Identify Risk Factors,” GAO-08-585G, Volume 1, July 2008, page 260-9.

The Office of Programs’ procedures note that FAME order and payment confirmation screens will automatically print for file documentation purposes and specify that documentation supporting these transactions be maintained within claim folders.

Due to human error, the procedure to put the documentation in the folder is not always followed.

Lack of adequate documentation represents non-compliance with the RRB’s policies and procedures, weakens the operational audit trail and limits the effectiveness of management oversight. If accounts payable documentation is inadequate, transactions may be incorrectly perceived as incomplete, unpaid, duplicated, lacking approval, or improperly recorded.

Recommendations

We recommend that the Office of Programs:

   8. re-communicate to the appropriate staff that all order authorization forms, evidence of receipt and acceptance and payment approvals supporting medical examinations and consultative opinions need to be maintained in the files.

We recommend that BFO:

   9. ensure that manually certified invoices and other payments include adequate back-up documentation to support the amount paid; and
   10. re-communicate to all certifiers that, to be complete, the manual certification must include a signature, the date of acceptance, reference to the applicable purchase order or service order and the amount approved for payment.

Management’s Response

The Office of Programs concurs with this recommendation and has agreed to include a reminder to disability examiners to place all evidence in the claim folders on the agenda for their next monthly training.

BFO plans to discuss with the OIG staff and then work to ensure that manually certified invoices and other payments have adequate documentation to support the amount paid.

BFO plans to re-communicate the requirements for manual certifications, which are in Administrative Circular OA-14, to certifiers of invoices.

Management Control and Related Reviews Need to be Updated

A complete management control review and related risk assessment had not been completed for the accounts payable unit in at least ten years.

A comprehensive system of internal control includes a risk assessment process, implementation of appropriate control activities and monitoring to assess the quality of performance over time. The RRB has established a Management Control Review Committee (MCRC) to oversee the agency’s internal control assessment process and provide guidance to managers in performing the individual evaluations that support the assessment of the adequacy of internal control agency wide.

Issues related to outdated management control reviews were previously reported in an OIG report dated April 30, 2007.[8] In response to this report, the MCRC established updated policies and procedures in December 2007.[9] These updated policies required that each assessable unit be reviewed once every five years, or more frequently based on risk, and that the MCRC maintain the schedule of when each assessable unit is due for review.[10] During the management control reviews, the control objectives are to be identified or developed for each assessable unit and are to be logical, applicable and reasonably complete, taking into consideration the financial assertions of existence and occurrence, completeness, rights and obligations, valuation or allocation and presentation and disclosure.[11] Lastly, the new policies allowed for extensions of due dates for the management control reviews as long as the request for extension was in writing, included a reason for the delay and was approved by and submitted through an Executive Committee member.

During our audit we observed that:

   • the last complete management control review and the related risk assessment for accounts payable was completed in April 1998;
   • although BFO had completed a risk assessment only for the Accounts Payable Assessable Unit in May 2007, this risk assessment was incomplete in that it did not include supporting documentation for the workload data reported;
   • the data used for this 2007 risk assessment was from FY 2006, which was the most current at the time. However, current drafts of an in-process risk assessment, to be used as part of the next management control review, still contain FY 2006 data and have not been updated; and
   • the RRB’s MCRC approved an extension to FY 2009 for the Accounts Payable Assessable Unit’s management control review, which delayed the next review even further.
As of February 2009, the management control review for the Accounts Payable Assessable Unit is scheduled for completion on June 3, 2009.

The delays occurred because BFO management prioritized other work ahead of the management control review for the Accounts Payable Assessable Unit.

[8] “Assessment of the Federal Managers’ Financial Integrity Act Process at the Railroad Retirement Board,” OIG Report No. 07-05, April 30, 2007, pages 7 through 9.
[9] “Management Control Guide,” BFO, December 2007.
[10] “Management Control Guide,” BFO, December 2007, page 4-1.
[11] “Management Control Guide,” BFO, December 2007, page 3-7.

Infrequent management control reviews increase the risk that the control objectives and techniques insufficiently address the current work environment, policies and procedures. If poorly designed or ineffective controls are not detected, financial misstatements or fraudulent transactions may occur.

Recommendation

We recommend that BFO:

   11. complete a management control review and a related risk assessment for the Accounts Payable Assessable Unit, using current data, according to the MCRC’s current policy, without further delay.

Management’s Response

BFO plans to complete a management control review and related risk assessment for the Accounts Payable Assessable Unit by the end of the current fiscal year.

Opportunity to Reduce Exposure of Employee SSNs

The RRB could reduce exposure of employee social security numbers (SSNs) by revising a form commonly used to authorize reimbursement of employee medical expenses.

OMB has directed agencies to eliminate the unnecessary use of SSNs.[12] The Office of Personnel Management (OPM) has recommended that agencies minimize the use of Federal employee SSNs as an identifier and strengthen protective measures when personally identifiable information (PII) is used.[13] To implement these directives, the RRB has published an administrative directive requiring periodic privacy-related reviews, including an annual review of agency progress in reducing the unnecessary use of SSNs.[14]

During our audit we observed that the RRB collects employee SSNs on Form G-753 “Application for Reimbursement of Medical and/or Eye Examination Fees” which is used to request reimbursement of expenses under the RRB’s Physical and Eye Examination Program. Form G-753 is submitted to the Employee Health Service for verification of eligibility and then forwarded to BFO for payment. Our review of the form indicates that the SSN is not necessary for processing.

Although BFO uses SSNs to identify employees in FFS, the mainframe computer financial management system, it is not necessary to display the SSN on the form itself. Continued collection of SSNs on Form G-753 creates an unnecessary risk of identity theft and a related need to provide secure storage and limit access which would not exist if the form did not include an SSN.

Prior OIG recommendations to strengthen physical security over PII, including SSNs, are pending.[15] Further evaluation of physical security is outside the scope of this review.

[12] “Safeguarding Against and Responding to the Breach of Personally Identifiable Information,” OMB M-07-16, May 22, 2007.
[13] “Guidance on Protecting Federal Employee Social Security Numbers and Combating Identity Theft,” OPM, June 18, 2007.
[14] “Management of Information Privacy for Individuals,” RRB Administrative Circular IRM-2, September 3, 2008.
[15] “Audit of Controls to Safeguard Sensitive Personally Identifiable Information,” OIG Report No. 07-09, September 27, 2007, Recommendation 1, page 9.

Recommendations

We recommend that:

   12. the Office of Administration implement a revised Form G-753 that does not require the employees’ SSNs; and
   13. BFO implement procedures that will permit them to process Form G-753 without employee SSNs for payment.

Management’s Response

The Office of Administration concurs with the recommendation and is taking steps to revise Form G-753 so that it no longer requires employees’ SSNs.

BFO responded that they are able to process Form G-753 without employee SSNs.

Policies and Procedures Need Improvement

Policies and procedures for accounts payable and related matters need improvement to ensure continuity of operations in accordance with management’s directives.

Control activities help ensure that management’s directives are carried out.[16] Internal controls and all transactions and other significant events need to be clearly documented and the documentation should be readily available for examination.[17] These controls include policies and procedures to carry out organizational objectives, such as planning, productivity, programmatic, quality, economy, efficiency and effectiveness objectives. Management uses these controls to provide reasonable assurance that the entity (1) achieves its mission, (2) maintains quality standards, and (3) does what management directs it to do.[18]

[16] “Standards for Internal Control in the Federal Government,” GAO/AIMD-00-21.3.1 (11/99) page 11.
[17] “Standards for Internal Control in the Federal Government,” GAO/AIMD-00-21.3.1 (11/99) page 15.
[18] GAO/PCIE “Financial Audit Manual,” Section 260, “Identify Risk Factors,” GAO-08-585G, Volume 1, July 2008, page 260-3.

Comprehensive policies and procedures for accounts payable should describe the various activities required to process payments from receipt through the issuance of final payment. Such documentation would reference FFS documentation, administrative circulars and other authorities as necessary to provide a complete, understandable basis for action.

During our audit we observed that the documented policies and procedures do not include all of the activities presently performed by BFO staff. In addition, we noted that BFO staff does not perform certain control activities which should be a routine part of accounting for payables.
For example:

• Procedures currently in use for processing the payment of government purchase card bills have not been formalized.
• Two employees had independently prepared different written instructions describing procedures that they followed in performing the same work.
• Procedures currently in use for processing the payment of centrally billed travel cards have not been formalized.
• Existing procedures do not include a periodic search for unrecorded liabilities related to unpaid administrative expense or a process for estimating such liabilities.

Additionally, during our review, it came to our attention that other policies and procedures administered by the Office of Administration also needed improvement. For example:

• The Administrative Circular OA-14 was recently updated, but it does not contain information on expedited payments or procedures for early payment.
• Basic Board Order 5, in its coverage of severable contracts, does not include any references to the appropriations laws, regulations and circulars such as 41 U.S.C. § 253 and GAO’s Principles of Federal Appropriations Law (the “Red Book”).

In general, responsible managers did not recognize the need for more detailed policies and procedures. The BFO accounting guide which describes policies and procedures for other accounting responsibilities does not include accounts payable activities. Although management has distributed some written work instructions, when asked about current practice, they frequently refer to the FFS documentation. FFS documentation is not a substitute for formalized, written and comprehensive policies and procedures.

As a result, management has not ensured that transactions will be executed in accordance with management’s directives. For example, during our audit, we found two instances where payments were not properly approved because certifiers did not sign and/or date the invoices when they approved them for payment. We noted that some certifiers used a stamp that had a space for a signature, but no space for a date; while other certifiers used no stamp at all and did not even sign the invoice. We also found one instance where the monitoring of Treasury’s payment was not documented with an annotation on the invoice. When policies, procedures and practices are not documented, are unavailable, outdated, or inconsistent, accounting controls may be bypassed and control weaknesses may go undetected. In addition, lack of documentation undermines an organization’s ability to ensure continuity of operations in the event of staff changes.

Recommendations

We recommend that BFO:

14. review, update and finalize policies and procedures for accounts payable activities.

We recommend that the Office of Administration:

15. review and update the identified policies and procedures related to the procurement process.

Management’s Response

BFO plans to review, update, and finalize policies and procedures for accounts payable activities.

The Office of Administration has agreed to update Administrative Circular OA-14 to contain information on expedited payments or procedures for early payment. They will also work with legal counsel to update Basic Board Order 5 to include references to appropriate laws or regulations in the coverage of severable contracts.

Electronic Receivers

The manual process currently used to record the receipt and acceptance of goods and services is often inconsistent and incomplete. Increased use of electronic receivers would improve accounts payable processing.

The FFS was designed to comply with Federal accounting standards and requirements for Federal financial management systems. The electronic receiver is an FFS feature that may be used to record the receipt and acceptance of goods and services and facilitates the following:

• provides an easily traceable audit trail;
• confirms the identity of the individual who is recording the receipt and acceptance of the goods and services (certifier);
• authenticates the certifier’s signature;
• automatically records the date of acceptance for goods and services in the system;
• automatically creates an accrued liability; [19]
• ensures the completeness of liabilities for financial reporting; and
• saves time and effort for all employees in the purchasing life cycle by eliminating steps usually required in the manual certification process.

The agency does not currently require utilization of electronic receivers. Instead, a manual procedure is often used. RRB Administrative Circular OA-14 (which outlines the manual procedure for the receipt and acceptance of goods and services and the resulting certification for payment) requires that invoices first be date stamped and forwarded to the designated person in the receiving bureau/office for certification.
It further states that the employee shall certify the invoice as proper for payment by including the dollar amount for payment, the PC or SO number, their signature and the date accepted. [20]

During our audit, we observed the following:

• The date of acceptance for three accounts payable transactions (ranging from $160,000 to $1,025,180) was not clear. This occurred because the transactions were processed without electronic receivers and the date of acceptance was not documented on the invoice during the manual certification process.

We also observed the following:

• An additional 1,102 non-medical payments totaling $2,485,141 were also made without a receiver. The considerable volume of transactions represented a missed opportunity to save extensive time and effort by the employees in the purchasing life cycle if electronic receivers had been used.
• The year-end request for managers to identify any accruals not already on the agency’s books did not consider accounts payable transactions. Had electronic receivers been used, the need to search for unrecorded accounts payable-related liabilities at year-end could have been minimized, as any applicable accruals would have been automatically recorded.

[19] Accruals are used to record liabilities created when goods or services are received but before payment is authorized. Accruals are used to make final accounting reports more accurate by ensuring the completeness of reporting for liabilities.
[20] “Procurement of Goods and Services,” RRB Administrative Circular OA-14, January 24, 2008, pages 14 and 16.

The manual invoice certification process used in lieu of the electronic receiver falls short in that it:

• does not always provide for an easily traceable audit trail;
• does not provide for the identification of approved certifiers;
• does not authenticate certifiers’ signatures;
• does not always record the actual date of acceptance;
• creates potentially missed accruals which can result in inaccurate financial statements; and
• creates unnecessary work for employees in the purchasing life cycle.

Agency procedures do not stress the importance of the electronic receiver as a control in the purchasing and financial reporting process. The use of an electronic receiver can ensure that payments are not made when goods or services have not been received, or when they are inadequate or defective. It also acts as a deterrent against fraudulent transactions. When receivers are not entered on FFS, the related expense may not be recorded in the proper accounting period, potentially understating both the administrative expense and liabilities on the agency’s income statement and balance sheet, respectively.

The use of electronic receivers would strengthen all of the above controls and help to ensure the completeness and accuracy of the liabilities reported in the agency’s financial statements.

Recommendation

We recommend that BFO:

16. work with the Executive Committee to maximize the use of electronic receivers for accounts payable transactions and promote the importance of the electronic receiver as an additional control in the purchasing and financial reporting process; or improve the manual certification process to include all of the controls that are provided by the electronic receiver.

Management’s Response

BFO has discussed this recommendation with the Director of Administration and they note that he plans to promote the use of electronic receivers to the Executive Committee.

Opportunity for Improvement - Timely Payment

The timeliness of payments to vendors and contractors could be improved.

The RRB’s vendors and contractors expect the government to meet its obligations for timely and accurate payment for goods and services received. Procurement and program officials have responsibility for timely inspection and acceptance of goods and services. BFO works with procurement and program officials to review and process payment vouchers and/or invoices. Payments should be made within 30 days after the later of the receipt and acceptance of the goods and services, or the invoice date (if the receipt and acceptance was not within seven days of the invoice), in accordance with normally accepted business practices and the agency’s policies and procedures. [21]

During our audit, we identified one payment in our non-statistical sample of five high-value payment transactions, valued at $1,025,180, that was not processed on a timely basis. This late payment resulted in the agency paying twelve days of interest totaling $1,964.93.
The delay happened because the invoice was not immediately sent to BFO, but was sent to, and held in, other bureaus before being sent to BFO for payment.

In the statistical sample, we identified two payments which were also not processed timely. However, because these two payments were within the acceptance error of the statistical sample and minimal interest was paid, we only bring this to the agency’s attention as an opportunity to make further improvements in timely payment. Again, the cause of the delay in these two payments was that the invoices were not sent to BFO timely.

Lack of timely payment can result in the agency’s liability for the payment of interest. Unnecessary interest paid takes away from agency financial resources and does not support the RRB’s strategic plan of effectiveness, efficiency and the security of operations. It also detracts from the agency’s overall goal of serving as responsible stewards of the trust funds and financial resources under agency control.

Recommendation

We recommend that BFO:

17. periodically re-communicate the importance of:

• sending invoices directly to BFO;
• timely inspection and acceptance of goods and services;
• timely return of certified invoices back to BFO for payment processing; and
• avoiding unnecessary interest charges which directly impact the bureaus’ budgets.

[21] “Procurement of Goods and Services,” RRB Administrative Circular OA-14, January 24, 2008, pages 12 and 13.

Management’s Response

BFO plans to periodically re-communicate the importance of this process.

Opportunity for Improvement - Prompt Payment Quality Assurance Reviews

Quality assurance reviews for monitoring compliance with the Prompt Payment Act were not completed timely.

The Prompt Payment Act requires establishment of: 1) procedures monitoring the causes of late payments and any interest penalties incurred, taking necessary corrective action and handling inquiries; 2) effective internal control systems; and 3) periodic quality control validation to be conducted no less frequently than once annually for payment to vendors. The intent of the quality control process is to establish that controls are effective and that processes are efficient. A quality control program is to be established in order to quantify payment performance, qualify corrective actions, aid cash management decision making and estimate payment performance. [22]

To ensure compliance with the OMB’s Prompt Payment requirements, BFO established quarterly quality assurance reviews to confirm the validity of payments entered into FFS by BFO’s accounts payable staff. One of these reviews validates a statistical sample of current payment vouchers for compliance with the Prompt Payment Act.

During our audit, we observed that as of August 2008, BFO had completed only one of their quality assurance reviews of payments subject to the Prompt Payment Act. [23] BFO management explained that they had only completed one prompt payment quality assurance review because the agency had a shortage of experienced financial management staff to conduct these reviews and the existing financial management staff had been concentrating on tasks with a higher priority.

During our audit, our review of a statistical sample of 105 medical and non-medical payments and a non-statistical sample of five high-value payment transactions found no instances of non-compliance with the Prompt Payment Act. However, we found four instances where the measurement dates were incorrect. These incorrect measurement dates did not result in late payments or the payment of interest. We do believe, however, that these instances of incorrect measurement dates or other related errors could be minimized with timely monitoring, such as the quality assurance reviews mentioned above.

[22] “Prompt Payment Final Rule,” 5 CFR Part 1315.3 (a) and (b), (31 U.S.C. Chapter 39), OMB/Federal Register Volume 64 No. 188, September 29, 1999, page 52588.
[23] “Quality Assurance Review of Payments Subject to the Prompt Payment Act Processed During the 1st Quarter of Fiscal Year 2008,” BFO, August 25, 2008.

Recommendation

We recommend that BFO:

18. consider prioritizing the quality assurance reviews of payments subject to the Prompt Payment Act to ensure their timely completion.

Management’s Response

BFO has responded that they have prioritized and completed the quality assurance reviews of payments subject to the Prompt Payment Act for the second, third, and fourth quarter of FY 08 on November 21, 2008, December 19, 2008, and February 27, 2009, respectively.

Office of Inspector General’s Comments on Management’s Response

With respect to BFO’s proposed implementation plan, we are concerned that it will not achieve the intent of the recommendation because the delay in the completion of these reviews undermines their usefulness as a tool for timely program improvement.

APPENDIX I

Statistical Sampling Methodology and Results

This appendix presents the methodology and results of our statistical sampling tests of non-benefit, non-payroll payments. [24]

Sample Objective

The sampling objective was to determine if internal controls for processing and recording vendor and contractor payments timely and accurately are operating and effective.

Sampling Unit

The sampling unit is defined as one accounts payable payment, which can include either a payment voucher (PV) or a direct disbursement (DD).

Sampling Universe

The sampling universe consisted of 4,769 payments totaling $5,711,353.55 for the period October 1, 2007 through December 31, 2007, which were downloaded from FFS by BFO and provided to the OIG. Employee payments for travel were specifically excluded.

Sample Size

We randomly selected 105 accounts payable transactions.
These 105 transactions consisted of 77 payments made to vendors who provided medical examinations and consultative opinions in support of the Office of Program’s Disability, Sickness and Unemployment Benefits Division’s (DSUBD’s) medical claims. These payments were processed by the DSUBD. The other 28 transactions were non-medical payments processed by BFO.

Sample Selection Method

We used one-step attribute acceptance sampling and tested each of the 105 randomly selected accounts payable payment transactions for compliance and operation of internal controls. Attribute sampling provides for compliance testing of policies, procedures and practices to determine adequacy of internal controls or operational efficiency. Acceptance sampling provides for the pass/fail testing of the universe based on the number of errors expected.

[24] We used non-statistical sampling to supplement our statistical sampling of high-value accounts payable (transactions greater than $100,000). The payments in this additional sample ranged between $160,000 and $1,025,180. See Appendix II.

The Acceptance Number of Errors

The acceptance number of errors for this sample was two.

Confidence Level

The confidence level of ninety percent represents the reliability of our estimate and the degree of assurance that we have in our estimate.

Critical Error Rate

The critical error rate is five percent and represents the maximum error rate in the universe that is considered acceptable by the auditor.

Sample Results

We tested the 105 randomly selected payments for the following attributes related to both administration and processing controls and compliance with the Prompt Payment Act.

The details of the sample evaluation for administration and processing controls follow.

Administration and Processing Controls

Supporting Documentation

Medical payments were considered to have complete supporting documentation if the files contained ALL of the following items required by the Office of Program’s policies and procedures:

  Item                                                                   Exceptions
  • FAME medical exam order screen print or medical opinion request               1
  • FAME payment screen that references the order, the exam ordered
    (applicable for medical exams), receipt, acceptance and payment
    approvals (electronically signed and dated)                                   2
  • Accepted exam/opinion signed and dated by a medical professional              1

                                   Tested   Non-Exceptions   Exceptions
  Medical Payments Total               77               73            4

Non-medical payments were considered to have complete supporting documentation if the files contained an approved invoice, which was both signed and dated as required by the agency’s policies and procedures:

  Item                                                                   Exceptions
  • Signed                                                                        4
  • Dated                                                                         4

                                   Tested   Non-Exceptions   Exceptions
  Non-Medical Payments Total           28               20            8
  Grand Total                         105               93           12

Paid the Correct Amount

Medical payments were considered accurate if the amount paid agreed to the contracted amount as required by the agency’s policies and procedures. Non-medical payments were considered accurate if the amount paid agreed to the approved invoice amount as required by the agency’s policies and procedures.

                                   Tested   Non-Exceptions   Exceptions
  Medical Payments Total               77               77            0
  Non-Medical Payments Total           28               28            0
  Grand Total                         105              105            0

Proper Payment Approval

Medical payments were considered properly approved if supporting documentation included a dated FAME screen with the user identified as required by the Office of Program’s policies and procedures. Non-medical payments were considered properly approved if the supporting documentation maintained in BFO included a signed invoice according to their normal business practices.

                                   Tested   Non-Exceptions   Exceptions
  Medical Payments Total               77               77            0
  Non-Medical Payments Total           28               28            0
  Grand Total                         105              105            0

Proper Authorization

Both Medical and Non-Medical payments were considered properly authorized if they were approved by an appropriate individual acting within the scope of their authority as required by the agency’s policies and procedures.

                                   Tested   Non-Exceptions   Exceptions
  Grand Total                         105              105            0

Goods and Services Were Appropriate to the Agency’s Mission

Both Medical and Non-Medical payments were considered acceptable if the goods and services obtained were appropriate to the agency’s mission in accordance with the purpose statute of appropriations law. [25]

                                   Tested   Non-Exceptions   Exceptions
  Grand Total                         105              105            0

The Receipt of Goods and Services Was Acknowledged

Both Medical and Non-Medical payments were considered acceptable if the receipt and acceptance of goods and services were appropriately acknowledged as required by the agency’s policies and procedures.

                                   Tested   Non-Exceptions   Exceptions
  Grand Total                         105              105            0

[25] 31 U.S.C. §1301(a), the purpose statute of appropriations law, requires that obligations/expenditures be authorized and that “Appropriations shall be applied only to the objects for which the appropriations were made except as otherwise provided by law.”

Timely Payment

Both Medical and Non-Medical payments were considered timely if they were made within 30 days after the later of the receipt and acceptance of the goods and services or the invoice date (if the receipt and acceptance was not within seven days of the invoice), in accordance with normally accepted business practices and the agency’s policies and procedures.

                                   Tested   Non-Exceptions   Exceptions
  Medical Payments Total                                              0
  Non-Medical Payments Total                                          2
  Grand Total                         105              103            2

Adequate Monitoring and Treasury Annotation [26]

Non-Medical payments were considered adequately monitored if the invoice was properly annotated with the Treasury processing data in accordance with the agency’s normal business practices.

                                   Tested   Non-Exceptions   Exceptions
  Non-Medical Payments Total                                          1
  Grand Total                          28               27            1

Conclusion: The transaction-based provisions for documenting the approval of medical and non-medical payments have not been implemented as designed and are not effective. During the audit we noted 12 instances where the supporting documentation was not adequate to support payment. With respect to the other controls and attributes tested, we can conclude with 90 percent confidence that internal controls were operating at least 95 percent of the time and payment accuracy was at least 95%.

We also identified instances where procedures and practices for timely payment and adequate monitoring and Treasury annotation were not followed. However, these instances were infrequent and at or below the acceptance number of errors.

[26] Only 28 of the 105 transactions in our sample were subject to this requirement due to different processes used by DSUBD and BFO.

The details of the sample evaluation for compliance with the Prompt Payment Act follow.

Compliance with Prompt Payment Act

Interest Accuracy

Both medical and non-medical payments were considered to have accurate interest applied if the effective interest rate was paid for the appropriate period.

                                   Tested   Non-Exceptions   Exceptions
  Grand Total                         105              105            0

Prompt Payment Tracking

Both medical and non-medical payments were considered to be in compliance if all vendors subject to the Prompt Payment Act were being tracked in FFS.

                                   Tested   Non-Exceptions   Exceptions
  Grand Total                         105              105            0

Trigger/Prompt Payment Date Accuracy

Medical payments were considered to be acceptable if the trigger date was the date of acceptance and if the prompt payment date was 30 days after the trigger date. Non-medical payments were considered to be acceptable if the trigger date was the invoice date or the date of acceptance, if within seven days of the invoice, and if the prompt payment date was 30 days after the trigger date.

                                   Tested   Non-Exceptions   Exceptions
  Medical Payments Total               77               76            1
  Non-Medical Payments Total           28               25            3
  Grand Total                         105              101            4

Early Pay

Both medical and non-medical payments were considered compliant if payments that were paid earlier than seven days prior to the due date were appropriately approved.

                                   Tested   Non-Exceptions   Exceptions
  Grand Total                         105              105            0

Conclusion: We conclude that the agency was generally compliant with the Prompt Payment Act. However, the random statistical sample did disclose four errors related to the identification and implementation of measurement dates, such as the trigger date and the prompt payment date. These exceptions were infrequent and none of them resulted in late payments. We brought the specifics of these exceptions to management’s attention during the audit.

APPENDIX II

Non-Statistical Sampling Methodology and Results

This appendix presents the methodology and results of our non-statistical sampling tests of high-value non-benefit, non-payroll payments.

Sample Objective

The sampling objective was to determine if internal controls for the accurate and timely processing and recording of high-value non-benefit, non-payroll payments are operating and effective.

Sampling Unit

The sampling unit is defined as one accounts payable payment greater than $100,000, which can include either a payment voucher (PV) or a direct disbursement (DD).

Sampling Universe

The sampling universe consisted of 4,769 payments totaling $5,711,353.55 for the period October 1, 2007 through December 31, 2007, which were downloaded from FFS by BFO and provided to the OIG. Employee payments for travel were specifically excluded.

Sample Size

We judgmentally selected all five of the high-value accounts payable payment transactions that were in the universe for review.
These five payment transactions
totaled $1,963,729.

Sample Selection Method

We used judgmental sampling to select high-value payment transactions greater than
$100,000 to determine overall compliance and operation of internal controls, including
approval controls for high-value items and segregation of duties controls.

Sample Results

We tested five high-value payment transactions selected from a population of 4,769 for
the following attributes related to both administration and processing controls and
compliance with the Prompt Payment Act.

The details of the sample evaluation for administration and processing controls follow.

Administration and Processing Controls
                                                          Tested  Non-Exceptions  Exceptions

Supporting Documentation

   High-value payment transactions were considered to have complete
   supporting documentation if the files contained an approved invoice,
   which was both signed and dated, as required by the agency's policies
   and procedures. In the absence of an invoice, we looked for additional
   documentation which would support the amount paid in accordance with
   normally accepted business practices.
  • Signed/Dated                                                                           1
  • Lacked both an invoice or any other documentation                                      1
    to support the amount paid
  High-value Payment Transactions Total                        5               3           2
Paid the Correct Amount

   High-value payment transactions were considered accurate if the amount
   paid agreed to the approved invoice amount as required by the agency's
   policies and procedures.
  High-value Payment Transactions Total                        5               5           0
Proper Payment Approval

   High-value payment transactions were considered properly approved if
   the supporting documentation maintained in BFO included an invoice that
   was approved for payment with both a signature and the date of approval,
   in accordance with BFO's normal business practices.
  High-value Payment Transactions Total                        5               3           2
Proper Authorization

   High-value payment transactions were considered properly authorized if
   they were approved by an appropriate individual acting within the scope
   of their authority as required by the agency's policies and procedures.
  High-value Payment Transactions Total                        5               4           1
Goods and Services Were Appropriate to the Agency's Mission

   High-value payment transactions were considered acceptable if the
   goods and services obtained were appropriate to the agency's mission in
   accordance with the purpose statute of appropriations law. [27]
  High-value Payment Transactions Total                        5               5           0
The Receipt of Goods and Services Was Acknowledged

   High-value payment transactions were considered acceptable if the
   receipt and acceptance of goods and services were appropriately
   acknowledged as required by the agency's policies and procedures.
  High-value Payment Transactions Total                        5               5           0
Timely Payment

   High-value payment transactions were considered timely if they were
   made within 30 days after the later of the receipt and acceptance of the
   goods and services or the invoice date (if the receipt and acceptance was
   not within seven days of the invoice) in accordance with normally
   accepted business practices and the agency's policies and procedures.
  High-value Payment Transactions Total                        5               4           1
Adequate Monitoring and Treasury Annotation [28]

   High-value payment transactions were considered adequately monitored
   if the invoice was properly annotated with the Treasury processing data in
   accordance with the agency's normal business practices.
  High-value Payment Transactions Total                        4               4           0
Segregation of Duties/Access Profiles

   High-value payment transactions were considered to have adequate
   segregation of duties if key duties and responsibilities were divided or
   segregated among different people. FFS security profiles can be
   configured to facilitate and ensure the proper segregation of duties.
  • Multiple User IDs                                                                      1
  • FFS configurations allowed one user to perform                                         3
    multiple steps in the purchasing process
  High-value Payment Transactions Total                        5               1           4

Conclusion: Internal controls over high-value payment transactions have not been
implemented as designed. We found issues with supporting documentation, proper
payment approval, proper authorization, timely payment, segregation of duties and
access profiles. Because we found issues with these high-value payment transactions,
we believe that additional compensating controls should be considered.

[27] 31 U.S.C. §1301(a), the purpose statute of appropriations law, requires that obligations/expenditures be
authorized and that "Appropriations shall be applied only to the objects for which the appropriations were
made except as otherwise provided by law."

[28] Only 4 of the 5 transactions in our sample were subject to this requirement due to different practices
used by BFO to process payment vouchers versus direct disbursements.

The details of the sample evaluation for compliance with the Prompt Payment Act
follow.

Compliance with Prompt Payment Act
                                                          Tested  Non-Exceptions  Exceptions

Interest Accuracy

   High-value payments were considered to have accurate interest applied if
   the effective interest rate was paid for the appropriate period.
  High-value Payment Transactions Total                        5               5           0
Prompt Pay Tracking

   High-value payments were considered to be in compliance if all vendors
   subject to the Prompt Payment Act were being tracked in FFS.
  High-value Payment Transactions Total                        5               5           0
Trigger/Prompt Payment Date Accuracy

   High-value payments were considered to be acceptable if the trigger date
   was the invoice date or the date of acceptance, if within seven days of the
   invoice, and if the prompt pay date was 30 days after the trigger date.
  High-value Payment Transactions Total                        5               5           0
Early Pay

   High-value payments were considered compliant if payments that were
   paid earlier than seven days prior to the due date were appropriately
   approved.
  High-value Payment Transactions Total                        5               5           0

Conclusion: With regard to the non-statistical sample of high-dollar value payments,
we identified no instances of non-compliance with the Prompt Payment Act.


                                                                       Appendix III

UNITED STATES GOVERNMENT                                          FORM G-116f (1-82)
RAILROAD RETIREMENT BOARD
MEMORANDUM
                                                                  MAR 30 2009

TO:       Letty Benjamin Jay
          Assistant Inspector General for Audit

FROM:     John M. Walter
          Chief of Accounting, Treasury and Financial Systems
          THROUGH: Kenneth P. Boehne
                   Chief Financial Officer

SUBJECT:  OIG Draft Report - Audit of Internal Control Over Accounts Payable


Thank you for the opportunity to review and comment on the above draft report dated
March 16, 2009. We are pleased that your review found no instances of
non-compliance with the Prompt Payment Act. 
Our comments on the recommendations
are as follows:

Recommendations

We recommend that BFO:

      1.  identify all individuals who have been awarded FFS privileges that are
          incompatible with proper segregation of duties.

      2.  work with agency management to eliminate FFS user privileges that
          violate the principles of segregation of duties.

          Regarding recommendations #1 and #2, each year, BFO performs an FFS
          security audit requesting agency management to review security profile
          information for FFS users in their organization and provide us with any
          changes, additions, or deletions. The responses and documentation of
          actions taken are then provided to the RRB's Chief Security Officer. For the
          fiscal year 2009 security process, we will ask agency management to identify
          individuals who have been awarded FFS privileges that are incompatible with
          proper segregation of duties and eliminate such FFS user privileges.
          Additional FFS privileges may have been awarded to users in a given
          organization due to the small size of that organization, and the organization
          may have compensating controls. Target date: 9/30/09.

      3.  develop and maintain a list of designated certifiers, obtain signature
          cards for these individuals and require that higher dollar hard copy
          invoices be subject to multiple approvals before they are processed for
          payment.

          We plan to work with agency management to implement this
          recommendation. A revision to Administrative Circular OA-14 may be
          required. Target date: 9/30/09.

      4.  establish more reasonable dollar thresholds for payment approvals to
          mirror the thresholds used in other steps of the procurement life cycle.

          We plan to review the dollar thresholds for payment approvals and make
          adjustments as necessary. Target date: 9/30/09.

      9.  ensure that manually certified invoices and other payments include
          adequate back-up documentation to support the amount paid.

          The Treasury staff plan to discuss this recommendation with your staff and
          then work to ensure that manually certified invoices and other payments
          include adequate back-up documentation to support the amount paid. Target
          date: 12/31/09.

      10. re-communicate to all certifiers that, to be complete, the manual
          certification must include a signature, the date of acceptance, reference
          to the applicable purchase order or service order and the amount
          approved for payment.

          We plan to re-communicate this information, which is in Administrative
          Circular OA-14, to certifiers of invoices. Target date: 8/31/09.

      11. complete a management control review and a related risk assessment
          for the Accounts Payable Assessable Unit, using current data,
          according to the MCRC's current policy, without further delay.

          Treasury plans to complete a management control review and a related risk
          assessment for the Accounts Payable Assessable Unit. Target date:
          9/30/09.

      13. BFO implement procedures that will permit them to process Forms
          G-753 without employee SSNs for payment.

          The Treasury section is able to process Forms G-753 without employee
          SSNs.

      14. review, update and finalize policies and procedures for accounts
          payable activities.

          The Treasury section plans to review, update, and finalize policies and
          procedures for accounts payable activities. Target date: 3/31/10.

      16. work with the Executive Committee to maximize the use of electronic
          receivers for accounts payable transactions and promote the
          importance of the electronic receiver as an additional control in the
          purchasing and financial reporting process; or improve the manual
          certification process to include all of the controls that are provided by
          the electronic receiver.

          We have discussed this recommendation with the Director of Administration.
          He plans to promote the use of electronic receivers to the Executive
          Committee.

      17. periodically re-communicate the importance of:

          •  sending invoices directly to BFO;

          •  timely inspection and acceptance of goods and services;

          •  timely return of certified invoices back to BFO for payment
             processing; and

          •  avoiding unnecessary interest charges which directly impact the
             bureaus' budgets.

          We plan to periodically re-communicate the importance of this process which
          is in Administrative Circular OA-14. Target date: 9/30/09.

      18. consider prioritizing the quality assurance reviews of payments subject
          to the Prompt Payment Act to ensure their timely completion.

          We have considered the quality assurance reviews for payments subject to
          the Prompt Payment Act and have prioritized them. The first quarter 2008
          Prompt Pay review was completed on 8/25/08. In addition, the second
          quarter Prompt Pay review was completed on 11/21/08, the third quarter
          Prompt Pay review was completed on 12/19/08 and the fourth quarter
          Prompt Pay review was completed on 2/27/09.

cc:  Dave Miller, Finance Officer
     Kris Garmager, Financial Systems Manager
     Katrina Page, Financial Management Analyst
     Hattie Fitzgerald, Financial Compliance Officer
     Bill Flynn, Executive Assistant
     Jill Roellig, Management Analyst


                                                                                 Appendix IV

UNITED STATES GOVERNMENT                                               FORM G-115f (1-92)
RAILROAD RETIREMENT BOARD
MEMORANDUM
                                                                        MAR 27 2009

TO:        Letty Benjamin Jay
           Assistant Inspector General for Audit

FROM:      Catherine A. Leyser
           Director of Assessment and Training
           Through: Dorothy Isherwood
                    Director of Programs

SUBJECT:   Draft Report - Audit of Internal Control Over Accounts Payable


Recommendation 5    The Office of Programs should segregate duties to prevent the same
                    employee from ordering and accepting medical examinations and
                    consultative opinions, implement second level approvals on orders and
                    acceptances of medical examinations and consultative opinions, or
                    develop an effective compensating control to ensure the agency does not
                    pay for unnecessary services.

OP response         The OIG finding of a single examiner having the capability of both
                    ordering and paying for medical examinations or opinions is an intended
                    practice. The Office of Programs established this practice because the
                    requestor is best qualified to determine if the product received meets the
                    requestor's expectations. To preclude ordering unnecessary services, we
                    have a control in place to examine medical examination requests that
                    exceed 5 examinations in a case. In light of the OIG's concerns we agree
                    to develop a plan for an additional compensating control.

                    We will develop a plan by September 30, 2009.

Recommendation 6    The Office of Programs should revise policies and procedures to fully
                    articulate which job descriptions have authority for ordering medical
                    examinations and consultative opinions so that the policies and
                    procedures correspond with actual practice and FAME system utilization.

OP response         The OIG review observed staff in clerical positions that were entering
                    medical opinion and medical examination requests; and, there were no
                    specifications in procedures regarding authority at those positions. The
                    Office of Programs agrees to revise procedures to include positions such
                    as field office and headquarters clerks as those given authority to enter
                    requests. Only claim examiners are authorized to process payments and
                    there is no change in that authority.

                    We will make the necessary procedure revisions by July 31, 2009.

Recommendation 7    The Office of Programs should review FAME system programming and
                    request revisions to ensure that the active user identifier is automatically
                    captured for each transaction and secured against change.

OP response         The Office of Programs agrees to review the system to determine when
                    revisions can be made. Other priorities make it difficult to project when
                    this can be completed; and, we will make any changes that are possible
                    when the next program revisions are made to the FAME system. The
                    target date for this is pending.

Recommendation 8    The Office of Programs should re-communicate to the appropriate staff
                    that all order authorization forms, evidence of receipt and acceptance and
                    payment approvals supporting medical examinations and consultative
                    opinions need to be maintained in the files.

OP response         The Office of Programs agrees to this recommendation.

                    We will include a reminder to examiners during the next monthly training
                    agenda which includes pertinent procedural, informational and reminder
                    notices to disability examiners.

                    Target completion date: April 30, 2009.


                                                                           Appendix V

UNITED STATES GOVERNMENT                                                FORM G-115f (1-92)
RAILROAD RETIREMENT BOARD
MEMORANDUM
                                                                      March 27, 2009

TO:         Letty Benjamin Jay
            Assistant Inspector General for Audit

FROM:       Senior Executive Officer

SUBJECT:    Draft Report - Audit of Internal Control Over Accounts Payable


In response to your draft report dated March 16, 2009, I have reviewed the findings and
recommendations, and in particular, the two recommendations concerning the Office of
Administration.

I concur with recommendation #12, "the Office of Administration implement a revised
Form G-753 that does not require the employees' social security numbers (SSNs)". The
RRB should reduce exposure of employee SSNs and revising this form, which is used to
reimburse employee medical expenses, will do so. The recommendation should be
implemented by June 30, 2009.

The second recommendation #15, "review and update the identified policies and
procedures related to the procurement process" will also be implemented. We will update
Administrative Circular OA-14 to contain information on expedited payments or
procedures for early payment. We will also work with legal counsel to update Basic
Board Order 5 to include references to appropriate laws or regulations in the coverage of
severable contracts. This recommendation will be implemented by June 30, 2009.

Thank you for the opportunity to comment on the draft report.


cc:  General Counsel
     Chief Financial Officer
     Supervisory Contract Specialist
     Asst. to Director of Administration
     Executive Asst. to Director of Administration